
Enabling MFA by default for new users using Azure AD Identity Protection

During my session at the Global Azure Boot Camp about Azure Active Directory, somebody from the audience asked me whether you can enable MFA by default for each user. Using the regular MFA portal (which is still outside the Azure portal), that was not possible.

After some digging and research, there is a way to do this. However, it requires an Azure AD Premium P2 license. Azure AD Premium includes a service called Azure Active Directory Identity Protection. This service is very similar to Conditional Access but is focused entirely on the identity protection part. For example, you can use it to detect risky sign-ins, users at risk, and much more. At the same time, you can use it to create policies that remediate these vulnerabilities.

This is the service you can use to enable MFA by default. In the Azure portal, look for Azure AD Identity Protection. Go to Configuration > MFA registration and set up the MFA configuration you want. If you want to exclude certain users from the MFA requirement, you can do that under Assignments > Users > Exclude. Enable Enforce Policy and click Save.

[Image: MFAConfiguration.PNG]

So, time to test this policy. I created a new user in my local Active Directory and synchronized it to my Azure Active Directory. When the user logs in, he gets the following screen, confirming MFA is active.

[Image: MFAPolicyTest.PNG]

Again, you need Azure Active Directory Premium for this, but it does work.
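Once the policy is enforced, a practical follow-up check is to list recently created users who still have no MFA method registered. The script below is an added example (not from the original post) and assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users and Microsoft.Graph.Reports modules) with read-only permissions; the 30-day window is an assumed default.

```powershell
# Added example: report recently created users who have not yet registered MFA,
# which is exactly what the Identity Protection MFA registration policy should
# be prompting them to do. Assumes the Microsoft Graph PowerShell SDK is installed.
param(
    [int]$DaysBack = 30   # assumed default: look at users created in the last N days
)

# Read-only scopes for user objects and the authentication methods registration report.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$DaysBack)

# Users created after the cutoff; filtered client-side to keep the Graph query simple.
$recentUsers = Get-MgUser -All -Property Id, UserPrincipalName, CreatedDateTime, OnPremisesSyncEnabled, AccountEnabled |
    Where-Object { $_.CreatedDateTime -ge $cutoff }

# Registration state per user, keyed by object id (the report's Id is the user's id).
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registration[$_.Id] = $_ }

$report = foreach ($u in $recentUsers) {
    $r = $registration[$u.Id]
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Created           = $u.CreatedDateTime
        SyncedFromAD      = [bool]$u.OnPremisesSyncEnabled   # true for users synced like the one in the post
        Enabled           = $u.AccountEnabled
        MfaRegistered     = if ($r) { $r.IsMfaRegistered } else { $false }
        Methods           = if ($r) { $r.MethodsRegistered -join ',' } else { '' }
    }
}

# Enabled users without a registered method are the ones the policy should be catching.
$notRegistered = @($report | Where-Object { $_.Enabled -and -not $_.MfaRegistered })
$report | Sort-Object Created | Format-Table -AutoSize
Write-Host ("{0} of {1} recently created, enabled users have not registered MFA." -f `
    $notRegistered.Count, @($report | Where-Object Enabled).Count)
```

Run it a few days after enabling the policy; a user that stays unregistered long after first sign-in is worth checking against the policy's exclusion list.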
